

Information Commissioner's Office 


ICO consultation on the draft right of access 
guidance 


Submission made by: NPCC Data Protection/ FOIA Portfolio - Subject
Rights Group


Submitted by email to: SARguidance@ico.org.uk


Tuesday 11 February 2020. 


This submission is made on behalf of the NPCC Data Protection/ FOIA 
Portfolio, following views being sought from all police forces. 


Individual police forces may also have submitted responses directly. 


Q1 Does the draft guidance cover the relevant issues about the
right of access?


No 
Unsure/don’t know 


If no or unsure/don't know, what other issues would you like to be 
covered in it? 


*** The general view from respondents in the police service is that the guidance does 
cover the relevant issues. However, the guidance is almost silent on the right of access 
under Part 3 and Part 4, simply referring practitioners to the ICO website instead. If this 
guidance document is intended to cover the rights under GDPR only, it should specifically 
state this under ‘About this detailed guidance’ and establish the appropriate links/ 
updates to the Part 3 and Part 4 guidance; which will require more detail. 


This will also assist the public in their understanding as they are likely to quote the 
guidance in any future challenge/ complaints. 


Q2 Does the draft guidance contain the right level of detail? 


No 
Unsure/don’t know 


If no or unsure/don't know, in what areas should there be more detail 
within the draft guidance? 


*** For GDPR, yes. As above Part 3/ 4 references are limited.
However, it would be helpful to receive more detailed guidance and examples on
manifestly unfounded. And to highlight further the limitations of making subject access
requests in certain circumstances.


Whilst of course a SAR may be made purpose blind, there is a clear lack of understanding
from requestors or their representatives of the limitations of SARs when used as the
primary means by which to seek disclosure for legal proceedings/ litigation. (further
detail below within Question 4).


It would also be helpful to include or link to Parts 3 and 4, particularly where there are 
differences (e.g. clarification, source vs origin (what’s the difference), responding 
electronically vs same as requested, extension). And to explain the expectation upon the 
data controller with regards to the source, eg organisation, as opposed to a named 
individual. 


Q3 Does the draft guidance contain enough examples? 


x Yes ***
No 


Unsure/don’t know 


If no or unsure/don’t know, please provide any examples that you 
think should be included in the draft guidance. 


*** There are many good examples, which are helpful. 


Again, there is limited reference to Part 3 examples or references to Part 3 examples 
elsewhere. 


It is acknowledged that there are a number of elements of the legislation that need to be 
considered in some complex scenarios. 


However, to ensure broader consistency across sectors and services perhaps requires
some detailed examples. In particular, in relation to the application of manifestly
unfounded/ excessive. (This is of course acknowledged by Q 4.)


An example(s) of SARs re children (p 13) might be helpful. 


Q4 


We have found that data protection professionals often struggle with 
applying and defining ‘manifestly unfounded or excessive’ subject access 
requests. We would like to include a wide range of examples from a 
variety of sectors to help you. Please provide some examples of manifestly 
unfounded and excessive requests below (if applicable). 


Generally: 


Organisations such as the police forces receive high volumes of requests whereby the applicant 
will ask for all of their personal data. Due to the nature of police processing an individual’s
personal data is often mixed in with other third party data, which has to be located / assessed / 
redacted; this can take disclosure officers several weeks / months, to process. It would be 
helpful if this guidance included some indication as to the lengths vis-a-vis, how long an 
organisation is expected to spend furnishing a request. 


Particular issues which seem to be presenting challenges to the police service arise from data 
held in CCTV/ body worn video systems and email systems. 


Reference has been made to requests for emails/ logs of telephone systems which when 
searched might bring back 1000s of returns. Some detailed examples concerning the point at 
which these requests might be deemed manifestly unfounded/ excessive would be beneficial. 


Legal Proceedings: 


As highlighted above, whilst of course a SAR may be made purpose blind, there is a clear lack 
of understanding from requestors or their representatives of the limitations of SARs when used 
as the primary means by which to seek disclosure for legal proceedings. 


It is acknowledged that a SAR may be a way to obtain information which might subsequently 
assist an individual in considering whether to take legal proceedings. 


However, since the removal of the £10 charge the police service has seen a significant increase 
in requests relating to ‘obvious’ legal proceedings (including prospective legal proceedings), 
obtaining legal advice, or for the purposes of establishing, exercising or defending legal rights. 


This issue was recently highlighted within a view published relating to the on-going family 
justice review: 


https://www.judiciary.uk/wp-content/uploads/2019/12/View-Dec-2019.pdf 


Representations are being made in relation to this review and the suggestion that SARs should 
be used for police disclosure. 


The access rights are there to enable individuals to verify the data held and the lawful use of 
such. It is not intended that it should be used to enable the information to be passed on for 
other purposes. So, whilst there is no longer a statutory fee for such, disclosure via this route 
is not and never has been the appropriate means by which to seek information for legal 
proceedings. Basically, the individual will only be able to access their personal data, so 
information which relates to third parties of interest within the proceedings may be redacted or 
withheld. There are also other exemptions which may be considered and applied to withhold 
information that may fall within the scope of the request. 


The key issue is that the Court will not receive all the relevant information they require in order 
to make an informed decision. This will likely lead to information being challenged at court, 
delays in proceedings and further disclosure requests being served upon the police. All of which 
is not conducive to the effective conduct of family proceedings; where the Courts are under 
pressure to deal with cases in a timely manner, nor of course in the interests of the parties or 
the police. 


This is but one example. Individuals, or their representatives, with increasing frequency seem 
to believe that making a SAR is the appropriate route for disclosure when CPIA or Criminal 
Procedure Rules apply. For the reasons above SARs will not provide the relevant and necessary 
information required, which ultimately leads to further disclosure requests or Orders and an 
impact on the public purse. 


It would be helpful for the ICO to add some clarity to the understanding of others outside the 
police service, as following the implementation of GDPR/ DPA 2018 there appears to have been 
an increased misconception, which has a detrimental impact on all parties. 


Perhaps there is an opportunity within the Code to suggest that : 


‘A request is likely to be excessive if it is clear that there is another legal gateway/ statutory 
route to obtain the information and the Act is being used to circumvent that, at an additional 
cost to the public purse.’


This would allow individual forces and the ICO to determine if the subject access is being 
abused, and used as a way of facilitating disclosure where other, more appropriate, and 
established routes are available. 


CCTV/ Body Worn Video 


The Code on Page 3 acknowledges that the right of access is a fundamental right for individuals 
to understand how the data controller is using their data and to check that its use is lawful. 
Personal data collected and processed in such a way is, by its very nature, accurate and up to 
date. 


And when requests are received, quite often individuals ask for “all footage” held on them. This 
potentially requires editing on a frame by frame basis to apply exemptions (in particular Part 3, 
Chapter 3, 45 4 (b) and (e) and Schedule 2, Part 3, 16 and Schedule 2, Part 1 (2)). 


The draft Code suggests at Page 18 that a complex request may be considered one that 
requires specialist work in redacting information. 


Whilst privacy by design may be considered in updating/ replacing or introducing new systems 
and technology, which may assist in facilitating redactions, for many police forces this process 
is carried out by specialist staff with specialist equipment. 


And such a request if dealt with under GDPR can be extended; which is not the case under Part 
3: 


There is a perception from colleagues based on anecdotal evidence that other Data Controllers
(Local Authorities, Universities and Retail) deem all requests for CCTV to be excessive.


As above if the footage is required for a specific purpose then a more suitable alternative for 
seeking disclosure for that purpose may be appropriate, which may not require the redaction of 
third parties. 


Another issue with BWV arises with particular individuals who are regularly in contact with the 
police. They will make a request for BWV/ CCTV following every interaction/ engagement. 
However, unless the footage captures something extraordinary which impacts on the rights of 
the individual, the requests appear to be excessive. 


It would be helpful if the Code clearly addressed the considerations/ expectations of the ICO 
relating to the video footage. If not addressed within the Code itself then perhaps providing a 
reference to the forthcoming CCTV Guidance, which itself could cover in more detail. 


Investigation of Complaints: 


Similarly, it is acknowledged that individuals will exercise their information rights (subject 
access/ FOIA) when pursuing a grievance against an organisation. 


The nature of police business is such that a lot of our ‘customers’ meet the criteria given on 
page 35/36 from the outset. Data subjects who have pursued all their other avenues available 
to them regarding their issue (the investigation has been resolved, there has been a review 
from Professional Standards, IOPC review and in some cases they may also have pursued or
attempted to pursue civil proceedings). These data subjects often find their data protection 
rights are their only way to maintain a dialogue (and cause disruption) to the organisation. 
These data subjects will never explicitly state that they are looking to cause disruption but this 
would appear to be their primary or sole purpose. 


However, it is not uncommon for individuals to use subject access to pursue or reinvestigate 
complaints against the police service. This is despite a full independent investigation having 
already been completed by the complaints department and external bodies such as the IOPC. 
These types of disclosures usually involve the processing of hundreds of documents and a 
duplication of effort on already limited police resources. 


Any request for information that has already been considered for disclosure/ provided via an 
alternative route is excessive and a burden, without serious value. However, there is a view 
that the applicant’s request could not be deemed manifestly unfounded due to the high 
threshold and lack of guidance around this. 


In terms of the reference to a request being excessive, it would be helpful if that was extended 
beyond ‘overlaps with other requests’ to include where consideration of the disclosure of 
documents/ information has previously taken place via another formal/ statutory process. 


Targeting an individual 


Disproportionate requests relating to complaints may also lead in to campaigns against 
individuals. Due to the nature of policing, a data subject may often make unsubstantiated 
allegations about officers and staff who have been involved in the investigation. It is 
acknowledged that every case will require assessment of the particular circumstances but it 
may be helpful to expand on this issue and articulate further. 


In these cases it feels like the data subject will always be able to present an argument that the 
data is important to them (due to the types of data held by a police force) so some further 
guidance would be beneficial otherwise the ‘manifestly unfounded’ exemption appears to 
present an almost impossible threshold. 


This might also include requests a month for Body Worn Video footage to use as evidence 
against an officer, whereby the video may be published on-line. This is not only an abuse of 
process as articulated above but also targeting an employee, where the individual who 
publishes will need to comply with data protection legislation. 


Q5 On a scale of 1-5 how useful is the draft guidance?


1 - Not at all useful
2 - Slightly useful
3 - Moderately useful
4 - Very useful
5 - Extremely useful


Q6 


Why have you given this score? 


From a GDPR perspective - very useful. It gives good examples, clear guidance. The right 
level of detail is provided and well structured. 


However, from a Part 3 point of view, less so. There is scope for the ICO to include
provision or reference to Part 3/4 detail within each relevant section. 


Failure to do so may create misunderstanding from requestors. There will of course be 
requests that may be submitted to law enforcement bodies that will fall under 
GDPR or Part 3 / 4. It may be useful to make reference to such requests, which may 
be considered complex. 


Q7 To what extent do you agree that the draft guidance is clear and easy to
understand?

Strongly disagree
Disagree
Neither agree nor disagree
Agree
Strongly agree


Q8 Please provide any further comments or suggestions you may have about
the draft guidance.


As detailed above, references or addressing Parts 3 & 4 of DPA 18 required. 
Page 6 - Asset Registers Include reference to Record of Processing Activities. 


Page 15 - Copies of letters. Should this be clarified that no need to deal with as a SAR ‘if 
providing them’. 


Page 17 - (Extending a request) Talks in detail about the circumstances in which requests 
can be extended by a further two months, however this is restricted to processing under GDPR 
not the DPA’18. 


Page 18 - (Complex requests) ‘Requests that involve a large volume of information may add 
to the complexity of a request. However, a request is not complex solely because the individual 
has requested a large amount of information’. 


For the police service, the fact that there is a large volume of data is a contributing factor due 
to the amount of third party data, contained within. Many of the documents / emails / systems, 
which contain the data subject’s personal data are littered / intertwined with a plethora of third
party data, which has to be reviewed. This is a complex process. Data may fall under GDPR or 
Part 3 DPA and all information has to be carefully considered to ensure that the data controller 
has regard for: 


• the type of information that would be disclosed,
• any duty of confidentiality owed to the other individual,
• any steps taken by the controller with a view to seeking the consent of the other individual,
• whether the other individual is capable of giving consent, and
• any express refusal of consent by the other individual.


Page 19 (can we charge a fee?) - Whilst a charge for postage can be made it would be 
helpful if the ICO were more explicit on the circumstances in which the data controller can 
decline posting; for example, other secure data transfer (Egress) is available, or the Data 
Subject can attend a local office. 


Page 22 - (how we should deal with bulk requests) As highlighted already, whilst subject 
access is purpose blind Forces are often explicitly told why the request is being made; 
particularly when it is received via a solicitor in order to defend a claim, or the data subject 
states ‘I need it for court next week’. It is appreciated that there is no ‘abuse of process’
however, further guidance should be provided as to when subject access may not be
appropriate. The guiding principle of this ‘right’ is to allow the data subject to ensure that their
personal data is being processed lawfully; for example that it is accurate, up to date, and is not
being processed for longer than is necessary. This right should not be used as a way of 
circumventing other recognised disclosure routes. One Force was recently criticised by an 
Employment Tribunal Judge who commented that pre-disclosure, via the RoA route was 
unhelpful, as it muddied the water when considered against the actual formal disclosure 
received via the correct route. 


As the ICO is aware, the subject access is to one’s own personal data, it does not extend to the 
provision of documents per se, therefore disclosures made under the subject access sometimes
appear disjointed and out of context. Additionally, the subject access does not routinely 
disclose third party data, which many applicants are requiring. Over the past few years and 
particularly post May 2018, there has been an increase in subject access requests. Many of 
these requests are for civil litigation, whether this is for personal injury, neighbourhood disputes 
or disclosure to the family law court. The latter is actively encouraged when connected to 
private law hearings despite our representation that this will only provide a one sided view of 
the facts. 


Page 23 (narrowing the scope of their request) - This approach, without any tangible ICO 
guidance is totally unmanageable, in a number of cases. For example, a prolific offender with 
hundreds of separate occurrences, combined with multiple Professional Standards complaints 
and years of internal / external email correspondence can and does take weeks to: 


• redact third party data
• identify what is already known to the data subject
• establish known tactical capabilities
• avoid prejudicing ongoing investigations


This guidance does not take into account the complexities of Law Enforcement data, which, by 
its very nature is quite often strewn with third party data; most of it not known to the data 
subject. 


Page 26 - Emails 


It would be helpful to provide some further context. Information within emails should be 
retained within appropriate corporate records and data controllers may wish to give 
consideration to records management policies in relation to emails. As mentioned earlier, what 
are the expectations in relation to those systems that may present 1000s of results; how far 
should the data controller be expected to go. 


What if the requestor is unable/ fails to provide further context/ details? 


Page 30 — (In what format should we provide the information?) Data subjects are not 
required to perform an action as a requirement to receive disclosure. 


The data controller is responsible for the security of personal data and should take all 
reasonable steps to ensure that it is protected from loss; therefore, it does not follow that the 
data subject should not have to take action to receive the information (eg by collecting it from 
our premises) unless they agree to do so. Most, if not all, forces send disclosures via secure 
data transfer; this requires the data subject to download a software application, which is an 
action. This guidance is suggesting that the data subject can essentially refuse a more secure 
transfer method and opt for unsecure postage. By following this guidance, organisations will be 
at odds with their security obligations. 


Page 30 - The example of an individual not having to collect from your premises is perhaps 
unhelpful. Whilst an individual would never be required/ forced to come and collect the data this 
works well with data subjects (if they cannot accept secure email.) Often subject access 
disclosures are too sensitive to post leaving secure email and collection from their local 
helpdesk (taken to the helpdesk via secure internal courier) as the most practical options. If 
this is given as an example of something not to do in the guidance this could really impact on 
the relationship with data subjects (which as described above is often challenging from the 
outset). I appreciate you have added the caveat of “unless they agree to do so”. But it is often 
found that our data subjects will quote edited versions of ICO guidance omitting sections that
may not suit their narrative. 


Maybe this example could be a bit more nuanced and say something like (eg by travelling to 
collect from your Head Office) 


Page 31 “You should note that although you have provided them with access to their personal 
data, it does not necessarily mean that you have provided them with a copy of their data. This
depends on whether they are able to download a copy of the information they have requested.” 


Whilst it may be not what this section is seeking to address, a concern has been raised 
regarding how it may be interpreted. As above, for example, many forces will make disclosure 
using a commonly used secure email format (Egress). There is no cost to the data subject. 
Due to the size of video footage (too large to attach to an email) they would need to download 
the file. This statement may ‘open the floodgates’ for data subjects to refuse to download the 
file and say it has not been provided. Guidance notes and step by step telephone guidance will 
be offered as well to data subjects to assist them in using Egress, but there is still a concern 
that this section of the guidance could be used by data subjects to cause disruption.


Q9 Are you answering as: 


O An individual acting in a private capacity (eg someone 
providing their views as a member of the public) 

O An individual acting in a professional capacity 

X On behalf of an organisation 

O Other 


Please specify the name of your organisation: 


NPCC DP/ FOIA - Subject Rights Portfolio 


What sector are you from: 


Law Enforcement 


Q10 How did you find out about this survey? 




ICO Twitter account 

ICO Facebook account 

ICO LinkedIn account 

ICO website 

ICO newsletter 

ICO staff member 

Colleague 

Personal/work Twitter account 
Personal/work Facebook account 
Personal/work LinkedIn account 
Other 




Thank you for taking the time to complete the survey. 


